A&M posted 3,000 people's personal data

February 16, 2008

By Holly Huffman, Eagle Staff Writer


A computer file containing the names and Social Security numbers of 3,000 current and former Texas A&M University agricultural employees was inadvertently posted online and accessible to the public for three weeks.

Texas A&M administrators said the personal information could not be directly viewed on Web pages, but was obtainable through sophisticated software designed to search databases and hijack such information.

Though university officials don't believe any of the information was stolen, they are encouraging employees to closely monitor their accounts for identity theft.

"It's certainly a possibility," said Dave Mayes, a spokesman for Texas A&M's agricultural communications department. "The prudent course then was to take action that essentially assumed the data was made available to somebody who shouldn't have had it."

Mayes said it appears the personal information was accidentally uploaded to the Internet during a recent computer server update. Only certain items were to be updated, but for some reason the eight-year-old, dormant file that contained the information was linked to the Web server during the update, he said.

It remains unclear why or how the file was updated. The original purpose of the file -- which Mayes described as a "data dump" -- also was unclear, though he noted the file had been created intentionally.

The information was linked to the Web server for 21 days before a red flag was noticed during a routine system check. That discovery was at 3 p.m. Tuesday, and the information was removed by 3:30 p.m. that same day, Mayes said.

An e-mail was sent Wednesday evening to all AgriLife employees notifying them of the incident, Mayes said. Another e-mail for those on the list was sent Thursday.

"We are not currently aware of any unauthorized use of this information," Mark Hussey, interim vice chancellor and interim dean of the College of Agriculture and Life Sciences, said in a statement released Friday. "But we are taking all steps necessary to notify the affected individuals, and offering to help them protect their personal information. We sincerely regret this inadvertent disclosure occurred, and we are taking steps to ensure this doesn't happen again."

Combined, Texas AgriLife Extension and Texas AgriLife Research -- formerly Texas Cooperative Extension and Texas Agricultural Experiment Station, respectively -- and the College of Agriculture and Life Sciences has 4,728 employees, according to A&M officials. The data leak affects 3,000 current and former employees from the three agencies.

Though the review is not complete, Mayes said the file doesn't appear to contain names and Social Security numbers of employees hired after May 1, 1999. But because the list is so old, it has been difficult to track down everyone on it, Mayes said, explaining that officials don't have current information for some former employees.

Mayes said it was unclear Friday why the file was still on the computer. It also was unclear if anyone would be disciplined as a result of the error.

"That's still under review," he said. "Our first priority was to fix the problem. The second priority has been to now figure out how it happened. That's the stage we're in now."

main page ATTRITION feedback